Kemparaj Praneeth SUITEB 192-BIT, WPA3 SUITEB, WPA3-ENTERPRISE

WPA3 SuiteB-192 Bit Authentication with WPA Supplicant in 6Ghz Band.

In this post , We will understand the steps needed to setup WPA3 SuiteB 192 bit Authentication using wpa supplicant in 6Ghz Band. This is the highest level security that has been implemented by 802.11 standard till date.

These SuiteB 192 bit authentication methods will provide very high security during authentication.

The ciphers supported in this SuiteB 192 bit authentications are being used by Commercial National Security Algorithm (CNSA) , and is commonly deployed in very high security wifi deployments (ex : Defense, Government Organizations, Finance etc..)

The below ciphers are being used in SuiteB-192 Mode and this WPA3-Enterprise authentication is exclusively for TLS only (certificate based mutual authentication).

Below are the ciphers that are being used in SuiteB-192 bit mode.

  1. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  2. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  3. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Below is the call flow for WPA3 Suite B authentication and below are the steps that we need to follow to make the successful authentication.

  1. Generate 4096 bit client/server certs [Suite-B-192 bit supports only 4096 bit RSA certs] , use openssl to generate the certs
  2. Compile WPA supplicant with SUITE B ciphers
  3. Create Free Radius server
  4. Place the 4096 bit certs in the proper path in client and radius server
  5. Connect the WiFi 6E client (Ubuntu Client) using WPA supplicant with WiFi6E AP
Figure 1 : WPA3 SuiteB Enterprise Authentication call flow

Use the below configuration file for wpa supplicant file.

Once we initiate the connection from client side, we see the below cipher suites that are supported for wpa3-suiteb, this info is being sent from client.

Figure 2 : Ciphers supported for WPA3 suite-b (Wireshark capture)

client and server will agree on the cipher that is to be used, here the selected cipher is
ECDHE-RSA-AES256-GCM-SHA384 by server.

Figure 3 : SuiteB cipher selected by Server

Once we initiate the connection, we see the following in the wpa supplicant after the successful authentication. We can also see Suite B-192 bit authentication happened for the SSID in 6Ghz band (frequency 6215) with the negotiated cipher.

Figure 2 : Client Status after WPA3 Suite B authentication

In the above picture also observe the TLS cipher, it is only supported by suite-b 192 bit type ciphers.